Previously we appended a dot at the end of IP addresses and domain names in the
cURL security helper, but it causes issues with Google OAuth so this patch removes it.
Previously some of the unit tests were passing "by accident" becuase
we had the security helper letting through domains where the DNS lookup
failed. That behaviour has changed and now such domains are blocked.
Additionally tests for domains with multiple A records and weird Unicode
stuff have been added.
This patch also mocks the DNS resolution in the test, rather than actually
resolving the domain.
Freaky deaky Unicode/octal/hex domains can be resolved by cURL but are technically not valid.
This patch causes anything that Moodle does not consider to be a valid domain or IP to be blocked
by the cURL security helper.
The google_oauth class extends oauth2client which was modified to send "Accept" headers.
The "Accept" headers break picasa and could break any other plugin that was using google_oauth.
The recordsets used for search indexing sometimes return results
which are invalid (e.g. cannot be found in database). When this
happens, the result in the iterator for the recordset will be
false. Due to a bug, the iterator used to stop when it encountered
a false value, which prevented indexing from getting past the
problematic record.
In addition, the iterator that skips future data resulted in the
current() function of its parent indicator being called twice per
entry, which meant that search indexing called get_document()
twice as many times.
If any of the access rules require the attempt to open in a new window, assume we
require javascript to attempt the quiz. This makes it harder to bypass the javascript
pseudo security restrictions.
The mtrace function is preferable for plain text logging/progress
output because it can be redirected if necessary. By convention it
is normally used in cron and can be used in CLI tasks if required.
This change makes the text_progress_trace class use mtrace instead
of echo and then flush. (Default behaviour of mtrace is to do
exactly that, but it can be redirected too.)
Before this change, if anybody is relying on mtrace behaviour to
redirect logs of cron output, this will fail for some parts of the
search cron output (and some other places like auth plugins).
When the teacher is upgrading a previously entered grade, we re-display
exactly what they typed before if possible, rather than displaying with
a set number of decimal places.
I removed the additional tooltips because I think that they are just used
in the notifications and messages context and duplicate the all over used
title tag that gives the same information when hovering. So the whole system
stays more consistently.
Copy / adapt some styles from the bootstrap progress widget to match the DOM used for file upload progress.
Bootstrap changed this alot in the current beta so I opted to do a minimal change (affect the scss for boost only), rather
than adapt the HTML to something that will change again anyway when we upgrade to the release version of bootstrap 4.
This patch conbines valuable contributions from Kashmira Nagwekar and
Luca Bösch. Many thanks to them. However, the final form of the fix,
and hence the blame, falls to me -- Tim.
There were several issues here:
* The load_questions_usages_by_activity method in
question/engine/datalib.php was incorrectly treating the case
when no data was returned. (Looks like a historic copy-pase from
other methods that fetch one item by unique id, which therefore
must exist.)
* The report was not correctly handling the display when the 'Which
tries' was set to 'with, and without, attempts'.
* It was possible to select the 'All tries' option when also saying
'Users without attempts'. This combination makes not sense, so
a disabledIf rule was added to the form.
If you have Global Search set up on a site without file
indexing enabled, then at a later date you enable file indexing
files associated with existing objects are not added.
The only way to have files for existing objects indexed is to
run a reindex of all content.
This patches updates the file indexing language string in the
solr search settings of Global Search to make this clear
to the site administrator.
Before this implementation, both resourcekey and password
were not being included in the backups, so old backups are
missing them. To keep upwards compatibility and avoid a PHP
Notice (undefined property), existence is checked via isset(),
that is the usual way all over the restore process.
SCORM 2004 uses the element 'cmi.completion_status' to store the
completion status of a SCO, not 'cmi.core.lesson_status'.
This amends scorm_check_mode so that the right element is looked up.
When scorm_version_check returns false, SCORM 1.2 is assumed.
Significant string changes:
* errorretrievingkey in message_airnotifier - improved wording and
removing reference to Moodle.org
* enddate_help and courseduration_desc in core - clearer wording
explaining what the date actually does
* restore:viewautomatedfilearea in core_role - changing wording to match
the behaviour
* dropzones_help in qtype_ddmarker - improved wording
* autologinkeygenerationlockout in tool_mobile - updated error message
* configallowemailaddresses in core_admin - clearer description
* subscriptionmode_helpin mod_forum - removing misleading sentence about
subscription mode changes not affecting existing users
- Uses site generated (on backup) key.
- Can be applied potentially everywhere in the restore process.
- Covered with unit tests.
- Authentication / integrity aware so can be used between any 2 servers
(just requires matching key).
- Built using standard backup custom fields.
- Can be applied potentially everywhere.
- Automatically addded 'encrypted' attribute.
- Defaults to site generated key.
- Enforces key robutness / provides authentication (hmac integrity)
- Covered with unit tests.
We were previously testing tha the parent is valid, which it was, and
then fetching the current record, before fetching data from it.
However, the way in which the recordset walk works, the valid function
checks whether the _record_ itself is valid, whilst the current allows
for a callback to be applied.
In this instance, the data-entry was failing because the count of
indexfields was < 2. The recordset data itself was valid, but the view
was not, and as a result, the current() function returned false.
This false was not previously handled.
I've changed the logic so that we handle this case, and have removed a
double-negative in the process.
Due to race conditions in the function subscribe_user
it was possible to create duplicate forum subscriptions.
This lead to error messages, when displaying the list of
all subscriptions.
This patch removes all existing duplicate entries and
creates a unique db key to prevent this from happening in
the future.
list_user_competencies_to_review() orders by shortname, but the test
creates 2 user competencies with the same short name, resulting in
unpredictable results. This patch fixes that.
The item field is defined as PARAM_TEXT (no HTML tags allowed except
for multilang).
Using the s that add quotes to HTML characters we avoid potential Web
Services invalid parameters errors.
The page admin/search.php is the default administration page in Boost
based themes. It should behave the same as admin/index.php or
my/index.php and check if the site needs upgrade.
When the wwwroot indicates https support and a page is accessed over http,
redirect to the wwwroot. This is a better experience than displaying an error.
Backport of MDL-58318.
The values stored in these user preferences were valid for the old
flickr auth mechanism and are not usable any more. The new oauth1 based
version needs to store both the token (in the flickr_access_token
preference) and the token secret (flickr_access_token_secret). The new
version does not need to store the user's nsid.
The cryptic names of these legacy settings are a result of how dealing
with user preferences was originally implemented.
The patch makes the Flickr repository use the new oauth1 based client.
Beside that, other improvements include:
* Does not attempt to guess the photo URL any more. Instead uses
url_sq and url_o extras of the flickr.photos.search call.
* The photos.search does not return the information about the photo size
so we set it to null (previously was returned as 'unknown' which made
it be displayed as zero).
* Does not perform additional API request to obtain the manage URL, uses
https://www.flickr.com/photos/organize instead.
Provide a more meaningful error message and debuginfo allowing to
diagnose what is going on. In case of flickr, this is typically thrown
when flickr API responses with their "bad, bad panda" HTML page instead
of the expected reply.
As per the oauth1 spec, the oauth_callback is supposed to be passed only
when obtaining the initial request token. The client used to append it
automatically to all requests which broke the request signature.
Fixed to return both those roles in the profileroles site policy and
any roles which the current user can assign in the respective context,
meaning a user can see a link to any role they can assign.
My solution is to remove the padding that's added within scss/bootstrap/_navbar.scss (line 72)
for the case that a logo (has-logo) is uploaded and displayed within the navbar.
Removing this padding will center the image within the navbar.
Changes to the folder contents were not resulting in the
timemodied of the folder activity being set. This prevented
global search from picking up the changes.
If an indexed file has been modified or deleted the search index
will still reference the old file. Remove the file from search
results until the change has been indexed.
We can't really control the direct web access to directories in dirroot,
that is part of the server setup. So we at least warn admins as they may
not realize the risks of having directories like vendor or node_modules
exposed.
Credit goes to Petr Škoda for mentioning the PHPUnit issue CVE-2017-9841
to me.
Make sure to check that $user in enrolled in $course before checking
whether the current user has capabilities in that course, and make sure
that we don't check user context caps when handling a specific course.
The course object passed as parameter to extend_navigation_user
callback contained only a few parameters, some parameters like
showgrades or showreports were missing.
The callback should receive a full course object.
Error messages should be prominent to screen readers as well as visual users,
adding the role alert is recommended way to achieve it for screen readers and this is
also what we do for ->notification apis
* Removed the div with the class 'form-group' that's enclosing the
select element and friends. It's not needed since the urlselect template
is an inline form.
* Also, for completeness, I added the helpicon data for the template's
context.
Make indexing of user messages tolerant to user deletion.
When creating the search document for user messages,
add a check to see if the user has been deleted in the
system. If they have been deleted abort creating the search
document.
This is to avoid rasining an error when trying to get the
user context for a deleted user.
Instead of putting vertical-align: middle as indication for participants table
headers, none is set which leads to theme default, i.e. bottom in Clean and Boost.
This is an old bit of UI inconsistency. For some reason it used to take
people to the list of all courses. Given modern Moodle usability
conventions, that does not really make sense any more.
Change to download_rewrite_pluginfile_urls() ensuring prefix isn't
added to file links when downloading with the downloadasfolders
user preference set to true. Links to files in onlinetext now work
when downloading as folders.
assign->download_submissions():
- groupname now only added to zip file name if not empty, fixing a
double hyphen bug in the file name.
assign->download_rewrite_pluginfile_urls():
- groupname is now correctly determined using get_submission_group()
instead of using groups_get_activity_group() which fails when there
is no active activity group set. Uses the same logic that
download_submission() uses to prefix file names. Fixes a bug where an
empty groupname prefix was generated, resulting in broken links.
This function used to check only those courses shared by both users
when it should have been checking all courses in which $user is
enrolled. Managers can view a user's course profile without necessarily
sharing the course (being enrolled in) with the $user.
* We have duplicate input event handlers for the autocomplete element
which are both firing when the input element's value is being set.
In case an AJAX handler is defined for the autocomplete suggestions,
this causes the autocomplete suggestions so show "No suggestions" first
and then load the results from the AJAX handler a little bit later.
There are times, such as when viewing a user profile within a course,
when user_can_view_profile() should be passed a course to force it to
restrict its capability checks to only the supplied course. This change
makes sure that core_renderer->context_header() calls this correctly.
This patch adds the missing 'escaping' option to all remaining
xmlrpc_encode_request() calls in the moodle core code.
Without this, the xmlrpc_decode_request() call on the server side may
lead to wrongly decoded non-ascii characters.
The unit test was creating four events, and then relying on them being
retrieved in the order in which they were created.
I've modified the test to:
* ensure timecreated are spaced apart; and
* add an order by timecreated when fetching them.
These tests are an abuse and should not have been accepted. Behat tests should use real pages.
Adding testing only entry points to Moodle is a bad security practice and is not the purpose of behat.
For pass/fail setting to work properly, activities must have 'Require grade' completion set,
just make sure we don't allow activities without this setting to be set
slightly refactor duplicate_module() code so it does not rebuild course cache
twice and also we do not need to move module if it is already the last module in a section
When updating the mysql system to utf8mb4 not all tables are
converted to the row format of compressed or dynamic. If a new
index is created there is a possibility that the table could be
using compact or redundant and then an error will be shown saying
that the index size is too large. This fix handles this exception
and converts the table over to compressed.
Do not use custom pfofile field name as a field alias in DB query, use field id instead.
DML lowercases all column aliases and fields with uppercase letters no longer match.
Even when course module is not available the intro text can still be visible on the
course page. In this case the availability restriction is displayed to the student
but link to the activity is not available
Since the refactoring towards using the filepicker for file and picture
fields there are several variables, which are set but never read. Thus,
I removed them.
When a file or picture field was added with existing records, these
records could not be saved, since the draft area was not created
properly.
Co-authored-by: Jérôme Mouneyrac <mouneyrac>
Due to Moodle 2.7 and Moodle 3.4 not having a common compatible php version
between them to upgrade from Moodle 3.4 from Moodle 2.7 you'll need to upgrade
to a higher version first or upgrade php at the same time as upgrade,
this encourages the former.
Removed the concat to generate the uniqueid field for the popup
notifications data. The concat can't be used directly in the SQL because
the syntax changes between databases. The sql_concat helper can't be
used because it assumes all values are database columns (which they
aren't in this case).
Instead I've just removed the uniqueid field because it isn't required
for the union all to work and the field isn't being used by anything.
This should fixed the compatibility issues between databases.
Based on work by Tim Lock <tim.lock@blackboard.com>
While upgrading to Moodle 2.8 or above it is possible for it to fail if
the site has multiple graded attempts for a user without an associated
submission record. This caused the upgrade to violate the databases
unique key rules.
This same issue could apply to a backup that was created of an
assignment that had this issue, when it is restored into Moodle 2.8 or
later.
This change adds the attempt number from the grade table into the query
that is inserting the new submission record (thanks to Tim). It also
moves the insert query before the latest flag is set on submission
records to ensure that only one has it, without this it is possible that
multiple submission records would be marked as the latest after an
upgrade or restore.
The OR clause in these queries used different sets of columns to select
userid which meant that the indexes that included user id could not be
used.
This change splits the query so that each individual part can use one of
the indexes that includes a userid which speeds them up considerably.
$string['enablesmartappbanners_desc']='This will display a banner promoting the Moodle Mobile app when visiting the site in Mobile Safari.';
$string['enablesmartappbanners_desc']='If enabled, a banner promoting the mobile app will be displayed when accessing the site using a mobile browser.';
$string['forcedurlscheme']='If you want to allow only your custom branded app to be opened via a browser window, then specify its URL scheme here; otherwise leave the field empty.';
$string['host_url']='Specify LDAP host in URL-form like \'ldap://ldap.myorg.com/\' or \'ldaps://ldap.myorg.com/\'';
$string['host_url_key']='Host URL';
$string['idnumber_attribute']='If the group membership contains distinguised names, specify the same attribute you have used for the user \'ID Number\' mapping in the LDAP authentication settings';
$string['idnumber_attribute']='If the group membership contains distinguished names, specify the same attribute you have used for the user \'ID Number\' mapping in the LDAP authentication settings.';
$string['idnumber_attribute_key']='ID number attribute';
$string['ldap_encoding']='Specify encoding used by LDAP server. Most probably utf-8, MS AD v2 uses default platform encoding such as cp1252, cp1250, etc.';
$string['memberattribute']='LDAP member attribute';
$string['memberattribute_isdn']='If the group membership contains distinguised names, you need to specify it here. If it does, you also need to configure the remaining settings of this section';
$string['memberattribute_isdn']='If the group membership contains distinguished names, you need to specify them here. If so, you also need to configure the remaining settings in this section.';
$string['nested_groups']='Do you want to use nested groups (groups of groups) for enrolment?';
$string['nested_groups_key']='Nested groups';
@@ -97,7 +97,7 @@ $string['nosuchrole'] = "No such role: '{\$a}'\n";
$string['objectclass']='objectClass used to search courses. Usually \'group\' or \'posixGroup\'';
$string['objectclass_key']='Object class';
$string['ok']="OK!\n";
$string['opt_deref']='If the group membership contains distinguised names, specify how aliases are handled during search. Select one of the following values: \'No\' (LDAP_DEREF_NEVER) or \'Yes\' (LDAP_DEREF_ALWAYS)';
$string['opt_deref']='If the group membership contains distinguished names, specify how aliases are handled during a search. Select one of the following values: \'No\' (LDAP_DEREF_NEVER) or \'Yes\' (LDAP_DEREF_ALWAYS).';
$string['opt_deref_key']='Dereference aliases';
$string['phpldap_noextension']='<em>The PHP LDAP module does not seem to be present. Please ensure it is installed and enabled if you want to use this enrolment plugin.</em>';
$string['pluginname']='LDAP enrolments';
@@ -116,11 +116,11 @@ $string['unassignrole'] = "Unassigning role '{\$a->role_shortname}' to user '{\
$string['unassignroleid']="Unassigning role id '{\$a->role_id}' to user id '{\$a->user_id}'\n";
$string['unassignrolefailed']="Failed to unassign role '{\$a->role_shortname}' to user '{\$a->user_username}' from course '{\$a->course_shortname}' (id {\$a->course_id})\n";
$string['updatelocal']='Update local data';
$string['user_attribute']='If the group membership contains distinguised names, specify the attribute used to name/search users. If you are using LDAP authentication, this value should match the attribute specified in the \'ID Number\' mapping in the LDAP authentication plugin';
$string['user_attribute']='If the group membership contains distinguished names, specify the attribute used to name/search for users. If you are using LDAP authentication, this value should match the attribute specified in the \'ID Number\' mapping in the LDAP authentication plugin.';
$string['user_attribute_key']='ID number attribute';
$string['user_contexts']='If the group membership contains distinguised names, specify the list of contexts where users are located. Separate different contexts with \';\'. For example: \'ou=users,o=org; ou=others,o=org\'';
$string['user_contexts']='If the group membership contains distinguished names, specify the list of contexts where users are located. Separate different contexts with a semi-colon (;). For example: \'ou=users,o=org; ou=others,o=org\'.';
$string['user_contexts_key']='Contexts';
$string['user_search_sub']='If the group membership contains distinguised names, specify if the search for users is done in subcontexts too';
$string['user_search_sub']='If the group membership contains distinguished names, specify if the search for users is done in sub-contexts too.';
$string['clialreadyconfigured']='El fitxer config.php ja existeix, feu servir dmin/cli/install_database.php si voleu instal·lar este lloc web.';
$string['clialreadyinstalled']='El fitxer config.php ja existeix, feu servir admin/cli/upgrade.php si voleu actualitzar este lloc web.';
$string['clialreadyconfigured']='El fitxer config.php ja existeix, feu servir admin/cli/install_database.php si voleu instal·lar el Moodle en este lloc web.';
$string['clialreadyinstalled']='El fitxer de configuració config.php ja existeix. Feu servir admin/cli/upgrade.php si voleu actualitzar Moodle per a este lloc web.';
$string['cliinstallheader']='Programa d\'instal·lació de línia d\'ordes de Moodle {$a}';
$string['langdownloaderror']='Dissortadament l\'idioma "{$a}" no es pot baixar. La instal·lació prosseguirà en anglés.';
$string['pathssubadmindir']='Alguns serveis d\'allotjament web (pocs) utilitzen un URL especial /admin p. ex. per a accedir a un tauler de control o quelcom paregut. Malauradament això entra en conflicte amb la ubicació estàndard de les pàgines d\'administració de Moodle. Podeu arreglar este problema canviant el nom del directori d\'administració de Moodle en la vostra instal·lació i posant el nou nom ací. Per exemple <em>moodleadmin</em>. Això modificarà els enllaços d\'administració de Moodle.';
$string['pathssubdataroot']='Necessiteu un espai on Moodle puga guardar els fitxers penjats. Este directori hauria de tindre permisos de lectura I ESCRIPTURA per a l\'usuari del servidor web (normalment \'nobody\' o \'apache\'), però no cal que siga accessible directament via web. L\'instal·lador provarà de crear-lo si no existeix.';
Sil\'adreça no és correcta, canvieu l\'URL en el vostre navegador per reiniciar la instal·lació amb un altre valor.';
$string['pathssubadmindir']='Alguns serveis d\'allotjament web (pocs) utilitzen /admin com a URL especial perquè accediu a un tauler de control o alguna cosa paregut. Malauradament, això entra en conflicte amb la ubicació estàndard de les pàgines d\'administració de Moodle. Podeu arreglar este problema canviant el nom del directori d\'administració de Moodle en la vostra instal·lació i posant el nou nom ací. Per exemple: <em>moodleadmin</em>. Això arreglarà els enllaços d\'administració de Moodle.';
Sielvostrellocésaccessibletantdesd\'Internet com des d\'una xarxa interna (anomenada de vegades intranet), utilitzeu l\'adreça pública ací.</p> <p>Si l\'adreça actual no és correcta, canvieu l\'URL a la barra d\'adreces del navegador i reinicieu la instal·lació.';
$string['welcomep20']='Esteu veient esta pàgina perquè heu instal·lat amb èxit i heu executat el paquet <strong>{$a->packname} {$a->packversion}</strong>. Felicitacions.';
$string['welcomep30']='Esta versió de <strong>{$a->installername}</strong> inclou les aplicacions necessàries per crear un entorn en el qual funcione <strong>Moodle</strong>:';
$string['welcomep30']='Esta versió de <strong>{$a->installername}</strong> inclou les aplicacions necessàries per crear un entorn en el qual funcione <strong>Moodle</strong>, concretament:';
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.